maxkabakov - Fotolia
Microsoft Windows Defender Device Guard offers a variety of capabilities, but IT professionals must enable Device Guard properly.
First, IT pros must ensure that the underlying hardware meets the minimum requirements for Device Guard. This includes a 64-bit processor with virtualization extensions, such as Intel VT-x, AMD-V and extended page tables; Trusted Platform Module 2.0; Unified Extensible Firmware Interface (UEFI) 2.3.1.c or later with Secure Boot enabled; and Hypervisor Enforced Code Integrity compatible Windows drivers.
In addition, IT must handle firmware updates through Windows Update, and the system must support Hardware Security Test Interface standards.
Enabling Windows Defender Device Guard
To enable Windows Defender Exploit Guard and Application Control features, IT can use desktop management tools including Group Policy, Microsoft System Center Configuration Manager, Windows PowerShell and Microsoft Intune.
The Windows Defender Device Guard features are virtualization-based, so IT must enable Hyper-V before they deploy anything from Device Guard. For example, endpoints running Windows 10 Enterprise or Education editions can enable Hyper-V through the Windows Features dialog by typing "Turn Windows features on or off" in the Search dialog on the Taskbar.
After IT enables Hyper-V, it can open the Local Group Policy Editor -- gpedit.msc. Desktop administrators can launch the editor directly by typing "gpedit.msc" in the Run bar, or through Windows Search by typing "gpedit.msc" in the Search bar and selecting the corresponding applet from the results. If the file is not found, IT may need to install the Local Group Policy Editor.
Once the Local Group Policy Editor starts, desktop admins should navigate to the "Computer Configuration\Administrative Templates\System\Device Guard" key and locate the "Turn On Virtualization Based Security" policy entry. IT pros should double-click the entry, enable the desired feature and select options such as Secure Boot and UEFI lock. After configuring the features, IT pros should close the Local Group Policy Editor and restart the computer.
If administrators would prefer to use Windows PowerShell to manage Windows Defender Device Guard features, Microsoft provides a Device Guard and Credential Guard hardware readiness tool which runs a PowerShell script to check hardware and enable Device Guard.
Dig Deeper on Windows 10 security and management
Related Q&A from Stephen J. Bigelow
Containers have rapidly come into focus as a popular option for deploying applications, but they have limitations and are fundamentally different ... Continue Reading
ALM and SDLC both cover much of the same ground, such as development, testing and deployment. Where these lifecycle concepts differ is the scope of ... Continue Reading
Eliciting performance requirements from business end users necessitates a clearly defined scope and the right set of questions. Expert Mary Gorman ... Continue Reading